• Search for:
    28Nov, 2023
    How to Practically Reduce Indie AI Tool Security Risks

    Having explored the risks of indie AI, Thacker recommends CISOs and cybersecurity teams focus on the fundamentals to prepare their organization for AI tools:

    1. Don’t Neglect Standard Due Diligence

    We start with the basics for a reason. Ensure someone on your team, or a member of Legal, reads the terms of services for any AI tools that employees request. Of course, this isn’t necessarily a safeguard against data breaches or leaks, and indie vendors may stretch the truth in hopes of placating enterprise customers. But thoroughly understanding the terms will inform your legal strategy if AI vendors break service terms.

    2. Consider Implementing (Or Revising) Application And Data Policies 

    An application policy provides clear guidelines and transparency to your organization. A simple “allow-list” can cover AI tools built by enterprise SaaS providers, and anything not included falls into the “disallowed” camp. Alternatively, you can establish a data policy that dictates what types of data employees can feed into AI tools. For example, you can forbid inputting any form of intellectual property into AI programs, or sharing data between your SaaS systems and AI apps.

    3. Commit To Regular Employee Training And Education

    Few employees seek indie AI tools with malicious intent. The vast majority are simply unaware of the danger they’re exposing your company to when they use unsanctioned AI.

    Provide frequent training so they understand the reality of AI tools data leaks, breaches, and what AI-to-SaaS connections entail. Trainings also serve as opportune moments to explain and reinforce your policies and software review process.

    4. Ask The Critical Questions In Your Vendor Assessments

    As your team conducts vendor assessments of indie AI tools, insist on the same rigor you apply to enterprise companies under review. This process must include their security posture and compliance with data privacy laws. Between the team requesting the tool and the vendor itself, address questions such as:

    • Who will access the AI tool? Is it limited to certain individuals or teams? Will contractors, partners, and/or customers have access?
    • What individuals and companies have access to prompts submitted to the tool? Does the AI feature rely on a third party, a model provider, or a local model?
    • Does the AI tool consume or in any way use external input? What would happen if prompt injection payloads were inserted into them? What impact could that have?
    • Can the tool take consequential actions, such as changes to files, users, or other objects?
    • Does the AI tool have any features with the potential for traditional vulnerabilities to occur (such as SSRF, IDOR, and XSS mentioned above)? For example, is the prompt or output rendered where XSS might be possible? Does web fetching functionality allow hitting internal hosts or cloud metadata IP?

    AppOmni, a SaaS security vendor, has published a series of CISO Guides to AI Security that provide more detailed vendor assessment questions along with insights into the opportunities and threats AI tools present.

    5. Build Relationships and Make Your Team (and Your Policies) Accessible

    CISOs, security teams, and other guardians of AI and SaaS security must present themselves as partners in navigating AI to business leaders and their teams. The principles of how CISOs make security a business priority break down to strong relationships, communication, and accessible guidelines.

    Showing the impact of AI-related data leaks and breaches in terms of dollars and opportunities lost makes cyber risks resonate with business teams. This improved communication is critical, but it’s only one step. You may also need to adjust how your team works with the business.

    Whether you opt for application or data allow lists — or a combination of both — ensure these guidelines are clearly written and readily available (and promoted). When employees know what data is allowed into an LLM, or which approved vendors they can choose for AI tools, your team is far more likely to be viewed as empowering, not halting, progress. If leaders or employees request AI tools that fall out of bounds, start the conversation with what they’re trying to accomplish and their goals. When they see you’re interested in their perspective and needs, they’re more willing to partner with you on the appropriate AI tool than go rogue with an indie AI vendor.

    The best odds for keeping your SaaS stack secure from AI tools over the long term is creating an environment where the business sees your team as a resource, not a roadblock.

    Resource : https://thehackernews.com/2023/11/ai-solutions-are-new-shadow-it.html

    28Nov, 2023
    How to Handle Retail SaaS Security on Cyber Monday

    If forecasters are right, over the course of today, consumers will spend $13.7 billion. Just about every click, sale, and engagement will be captured by a CRM platform. Inventory applications will trigger automated re-orders; communication tools will send automated email and text messages confirming sales and sharing shipping information.

    SaaS applications supporting retail efforts will host nearly all of this behind-the-scenes activity. While retailers are rightfully focused on sales during this time of year, they need to ensure that the SaaS apps supporting their business operations are secure. No one wants a repeat of one of the biggest retail cyber-snafus in history, like when one U.S.-based national retailer had 40 million credit card records stolen.

    The attack surface is vast and retailers must remain vigilant in protecting their entire SaaS app stack. For example, many often use multiple instances of the same application. They may use a different Salesforce tenant for every region they operate in or have different tenants for each line of business. Each one of these tenants must set up their configurations independently, with each one limiting risk and meeting corporate standards.

    Here are a few areas retailers should focus on to ensure their SaaS Security over the entire holiday season.

    Control Privileges & Access in Your App Stack

    Access Control settings are particularly important to retailers. They limit who can enter an application and the privileges those users will have once inside the app. Limit access and visibility to sensitive data to those who requrie it to perform their job functions. Creating role-based access and monitoring employees to ensure they have an appropriate level of access based on their role is a key step in reducing the risk level.

    One additional area worth reviewing is access granted to former employees. Former employees should almost always be deprovisioned as part of the offboarding process. When applications are connected to an SSO and access is only through that SSO, the offboarding is automatic. Unfortunately, many retailers have apps that either sit outside the SSO or allow employees to log in locally. In those circumstances, employees must have their access removed manually from each application.

    Prevent Data Leaks

    Pricing information is one of the most sensitive pieces of information retailers have. While web crawlers may have access to published prices, it’s of paramount importance to protect future pricing strategies and plans. During the holiday season, when competitors are looking for every pricing and promotion advantage, securing this information behind serious data leakage protection is a top priority.

    When available, turn on encryption settings to prevent unauthorized users from viewing your critical data. Turn off the ability to share or email files outside the organization and require some form of user authentication before users can access boards, spreadsheets, and databases.

    Protecting customer information from leaks should be another high priority for retailers. Nothing will drive customers away from your website than reports of personal information, such as PII (Personal Identifiable Information) and payment information, being leaked. Harden security settings to prevent unauthorized data leaks from the application.

    Defend Against Insider Threats

    Unfortunately, we live in an era of insider threats. In Adaptive Shield’s annual survey, 43% of respondents said they had experienced corporate espionage or an insider attack within their SaaS stack. Preventing these types of attacks are notoriously difficult, as authorized users log in with verified credentials and their nefarious activities are all within the parameters of their access.

    For retailers, monitoring user activity is one way to detect threats before they turn into full-blown breaches. Using an Identity Threat Detection & Response (ITDR) tool that monitors and analyzes user behavior can identify these threat actors. , retailers can detect a user’s behavioral anomalies. By analyzing behavioral anomalies, which might include accessing data during unusual times or downloading an unusual amount of data, retailers can uncover insider threats and protect themselves.

    Automate SaaS Security to Secure Applications 

    Some retailers may monitor these settings and behaviors manually or with older technologies like CASBs. Neither of those approaches are likely to be effective. SaaS settings can change without notice, and it’s far too easy to miss the signs of insider threats.

    SaaS Security Posture Management (SSPM) tools, like Adaptive Shield are the only effective way for retailers to secure their whole SaaS stack. They automatically and continually monitor settings, even over the busy holiday season, to detect and identify misconfigurations, unauthorized access, and users that need to be fully deprovisioned.

    Using an SSPM, retailers can move ahead confidently, knowing that every tenant of their applications in every country they operate is secure. They can update strategies, retain customer data, and monitor users to prevent insider attacks.

    Resource : https://thehackernews.com/2023/11/how-to-handle-retail-saas-security-on.html

    27Nov, 2023
    6 Steps to Accelerate Cybersecurity Incident Response

    Modern security tools continue to improve in their ability to defend organizations’ networks and endpoints against cybercriminals. But the bad actors still occasionally find a way in.

    Security teams must be able to stop threats and restore normal operations as quickly as possible. That’s why it’s essential that these teams not only have the right tools but also understand how to effectively respond to an incident. Resources like an incident response template can be customized to define a plan with roles and responsibilities, processes and an action item checklist.

    But preparations can’t stop there. Teams must continuously train to adapt as threats rapidly evolve. Every security incident must be harnessed as an educational opportunity to help the organization better prepare for — or even prevent — future incidents.

    SANS Institute defines a framework with six steps to a successful IR.

    1. Preparation
    2. Identification
    3. Containment
    4. Eradication
    5. Recovery
    6. Lessons learned

    While these phases follow a logical flow, it’s possible that you’ll need to return to a previous phase in the process to repeat specific steps that were done incorrectly or incompletely the first time.

    Yes, this slows down the IR. But it’s more important to complete each phase thoroughly than to try to save time expediting steps.

    1: Preparation

    Goal: Get your team ready to handle events efficiently and effectively.

    Everybody with access to your systems needs to be prepared for an incident — not just the incident response team. Human error is to blame for most cybersecurity breaches. So the first and most important step in IR is to educate personnel about what to look for. Leveraging a templated incident response plan to establish roles and responsibilities for all participants — security leaders, operations managers, help desk teams, identity and access managers, as well as audit, compliance, communications, and executives — can ensure efficient coordination.

    Attackers will continue to evolve their social engineering and spear phishing techniques to try to stay one step ahead of training and awareness campaigns. While most everybody now knows to ignore a poorly written email that promises a reward in return for a small up-front payment, some targets will fall victim to an off-hours text message pretending to be their boss asking for help with a time-sensitive task. To account for these adaptations, your internal training must be updated regularly to reflect the latest trends and techniques.

    Your incident responders — or security operations center (SOC), if you have one — will also require regular training, ideally based on simulations of actual incidents. An intensive tabletop exercise can raise adrenaline levels and give your team a sense of what it’s like to experience a real-world incident. You might find that some team members shine when the heat is on, while others require additional training and guidance.

    Another part of your preparation is outlining a specific response strategy. The most common approach is to contain and eradicate the incident. The other option is to watch an incident in progress so you can assess the attacker’s behavior and identify their goals, assuming this does not cause irreparable harm.

    Beyond training and strategy, technology plays a huge role in incident response. Logs are a critical component. Simply put, the more you log, the easier and more efficient it will be for the IR team to investigate an incident.

    Also, using an endpoint detection and response (EDR) platform or extended detection and response (XDR) tool with centralized control will let you quickly take defensive actions like isolating machines, disconnecting them from the network, and executing counteracting commands at scale.

    Other technology needed for IR includes a virtual environment where logs, files, and other data can be analyzed, along with ample storage to house this information. You don’t want to waste time during an incident setting up virtual machines and allocating storage space.

    Finally, you’ll need a system for documenting your findings from an incident, whether that’s using spreadsheets or a dedicated IR documentation tool. Your documentation should cover the timeline of the incident, what systems and users were impacted, and what malicious files and indicators of compromise (IOC) you discovered (both in the moment and retrospectively).

    2: Identification

    Goal: Detect whether you have been breached and collect IOCs.

    There are a few ways you can identify that an incident has occurred or is currently in progress.

    • Internal detection: an incident can be discovered by your in-house monitoring team or by another member of your org (thanks to your security awareness efforts), via alerts from one or more of your security products, or during a proactive threat hunting exercise.
    • External detection: a third-party consultant or managed service provider can detect incidents on your behalf, using security tools or threat hunting techniques. Or a business partner may see anomalous behavior that indicates a potential incident.
    • Exfiltrated data disclosed: the worst-case scenario is to learn that an incident has occurred only after discovering that data has been exfiltrated from your environment and posted to internet or darknet sites. The implications are even worse if such data includes sensitive customer information and the news leaks to the press before you have time to prepare a coordinated public response.

    No discussion about identification would be complete without bringing up alert fatigue.

    If the detection settings for your security products are dialed too high, you will receive too many alerts about unimportant activities on your endpoints and network. That is a great way to overwhelm your team and can result in many ignored alerts.

    The reverse scenario, where your settings are dialed too low, is equally problematic because you might miss critical events. A balanced security posture will provide just the right number of alerts so you can identify incidents worthy of further investigation without suffering alert fatigue. Your security vendors can help you find the right balance and, ideally, automatically filter alerts so your team can focus on what matters.

    During the identification phase, you will document all indicators of compromise (IOCs) gathered from alerts, such as compromised hosts and users, malicious files and process, new registry keys, and more.

    Once you have documented all IOCs, you will move to the containment phase.

    3: Containment

    Goal: Minimize the damage.

    Containment is as much a strategy as it is a distinct step in IR.

    You will want to establish an approach fit for your specific organization, keeping both security and business implications in mind. Although isolating devices or disconnecting them from the network may prevent an attack from spreading across the organization, it could also result in significant financial damage or other business impact. These decisions should be made ahead of time and clearly articulated in your IR strategy.

    Containment can be broken down into both short- and long-term steps, with unique implications for each.

    • Short-term: This includes steps you might take in the moment, like shutting down systems, disconnecting devices from the network, and actively observing the threat actor’s activities. There are pros and cons to each of these steps.
    • Long-term: The best-case scenario is to keep infected system offline so you can safely move to the eradication phase. This isn’t always possible, however, so you may need to take measures like patching, changing passwords, killing specific services, and more.

    During the containment phase you will want to prioritize your critical devices like domain controllers, file servers, and backup servers to ensure they haven’t been compromised.

    Additional steps in this phase include documenting which assets and threats were contained during the incident, as well as grouping devices based on whether they were compromised or not. If you are unsure, assume the worst. Once all devices have been categorized and meet your definition of containment, this phase is over.

    Bonus step: Investigation

    Goal: Determine who, what, when, where, why, how.

    At this stage it is worth noting another important aspect of IR: investigation.

    Investigation takes place throughout the IR process. While not a phase of its own, it should be kept in mind as each step is performed. Investigation aims to answer questions about which systems were accessed and the origins of a breach. When the incident has been contained, teams can facilitate thorough investigation by capturing as much relevant data as possible from sources like disk and memory images, and logs.

    This flowchart visualizes the overall process:

    You may be familiar with the term digital forensics and incident response (DFIR) but it’s worth noting that the goals of IR forensics differ from the goals of traditional forensics. In IR the primary goal of forensics is to help progress from one phase to the next as efficiently as possible in order to resume normal business operations.

    Digital forensics techniques are designed to extract as much useful information as possible from any evidence captured and turn it into useful intelligence that can help build a more complete picture of the incident, or even to aid in the prosecution of a bad actor.

    Data points that add context to discovered artifacts might include how the attacker entered the network or moved around, which files were accessed or created, what processes were executed, and more. Of course, this can be a time-consuming process that might conflict with IR.

    Notably, DFIR has evolved since the term was first coined. Organizations today have hundreds or thousands of machines, each of which has hundreds of gigabytes or even multiple terabytes of storage, so the traditional approach of capturing and analyzing full disk images from all compromised machines is no longer practical.

    Current conditions require a more surgical approach, where specific information from each compromised machine is captured and analyzed.

    4: Eradication

    Goal: Make sure the threat is completely removed.

    With the containment phase complete, you can move to eradication, which can be handled through either disk cleaning, restoring to a clean backup, or full disk reimaging. Cleaning entails deleting malicious files and deleting or modifying registry keys. Reimaging means reinstalling the operating system.

    Before taking any action, the IR team will want to refer to any organizational policies that, for example, call for specific machines to be reimaged in the event of a malware attack.

    As with earlier steps, documentation plays a role in eradication. The IR team should carefully document the actions taken on each machine to ensure that nothing was missed. As an additional check you can perform active scans of your systems for any evidence of the threat after the eradication process is complete.

    5: Recovery

    Goal: Get back to normal operations.

    All your efforts have been leading here! The recovery phase is when you can resume business as usual. Determining when to restore operations is the key decision at this point. Ideally, this can happen without delay, but it may be necessary to wait for your organization’s off-hours or other quiet period.

    One more check to verify that there aren’t any IOCs left on the restored systems. You will also need to determine if the root cause still exists and implement the appropriate fixes.

    Now that you have learned about this type of incident, you’ll be able to monitor for it in the future and establish protective controls.

    6: Lessons learned

    Goal: Document what happened and improve your capabilities.

    Now that the incident is comfortably behind you, it’s time to reflect on each major IR step and answer key questions, there are plenty of questions and aspects that should be asked and reviewed, below are a few examples:

    • Identification: How long did it take to detect the incident after the initial compromise occurred?
    • Containment: How long did it take to contain the incident?
    • Eradication: After eradication, did you still find any signs of malware or compromise?

    Probing these will help you step back and reconsider fundamental questions like: Do we have the right tools? Is our staff appropriately trained to respond to incidents?

    Then the cycle returns to the preparation, where you can make necessary improvements like updating your incident response plan template, technology and processes, and providing your people with better training.

    4 pro tips to stay secure

    Let’s conclude with four final suggestions to bear in mind:

    1. The more you log, the easier investigation will be. Make sure you log as much as possible to save money and time.
    2. Stay prepared by simulating attacks against your network. This will reveal how your SOC team analyzes alerts and their ability to communicate – which is critical during a real incident.
    3. People are integral to your org’s security posture. Did you know 95% of cyber breaches are caused by human error? That’s why it’s important to perform periodic training for two groups: end users and your security team.
    4. Consider having a specialized 3rd party IR Team on call that can immediately step in to help with more difficult incidents that may be beyond your team’s ability to resolve. These teams, which may have resolved hundreds of incidents will have the IR experience and tools necessary to hit the ground running and accelerate your IR.

    Resource : https://thehackernews.com/2023/11/6-steps-to-accelerate-cybersecurity.html

    27Nov, 2023
    Critical Vulnerabilities Expose ownCloud Users to Data Breaches

    The maintainers of the open-source file-sharing software ownCloud have warned of three critical security flaws that could be exploited to disclose sensitive information and modify files.

    A brief description of the vulnerabilities is as follows –

    • Disclosure of sensitive credentials and configuration in containerized deployments impacting graphapi versions from 0.2.0 to 0.3.0. (CVSS score: 10.0)
    • WebDAV Api Authentication Bypass using Pre-Signed URLs impacting core versions from 10.6.0 to 10.13.0 (CVSS score: 9.8)
    • Subdomain Validation Bypass impacting oauth2 prior to version 0.6.1 (CVSS score: 9.0)

    “The ‘graphapi’ app relies on a third-party library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo),” the company said of the first flaw.

    “This information includes all the environment variables of the web server. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key.”

    As a fix, ownCloud is recommending to delete the “owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php” file and disable the ‘phpinfo’ function. It is also advising users to change secrets like the ownCloud admin password, mail server and database credentials, and Object-Store/S3 access keys.

    The second problem makes it possible to access, modify or delete any file sans authentication if the username of the victim is known and the victim has no signing-key configured, which is the default behavior.

    Lastly, the third flaw relates to a case of improper access control that allows an attacker to “pass in a specially crafted redirect-url which bypasses the validation code and thus allows the attacker to redirect callbacks to a TLD controlled by the attacker.”

    Besides adding hardening measures to the validation code in the oauth2 app, ownCloud has suggested that users disable the “Allow Subdomains” option as a workaround.

    The disclosure comes as a proof-of-concept (PoC) exploit has been released for a critical remote code execution vulnerability in the CrushFTP solution (CVE-2023-43177) that could be weaponized by an unauthenticated attacker to access files, run arbitrary programs on the host, and acquire plain-text passwords.

    The issue, discovered and reported by Converge security researcher Ryan Emmons, has been addressed in CrushFTP version 10.5.2, which was released on August 10, 2023.

    “This vulnerability is critical because it does NOT require any authentication,” CrushFTP noted in an advisory released at the time. “It can be done anonymously and steal the session of other users and escalate to an administrator user.”

    Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.

    Resoruce : https://thehackernews.com/2023/11/warning-3-critical-vulnerabilities.html

    25Nov, 2023
    Zimbra Zero-Day Exploited to Hack Government Emails

    Google’s Threat Analysis Group (TAG) revealed on Thursday that a Zimbra Collaboration Suite zero-day was exploited earlier this year to steal email data from government organizations in several countries. 

    The existence of the vulnerability, tracked as CVE-2023-37580, became public in mid-July, when Zimbra notified customers of its email server solution. 

    The flaw, described as a reflected cross-site scripting (XSS) bug, allows an attacker to execute malicious code by sending emails containing specially crafted URLs to the targeted organization. 

    In order for the exploit to be successfully executed, the targeted user needs to click on the malicious link while they are authenticated to a Zimbra session.

    Shortly after Zimbra announced an official patch on July 25, Google’s TAG warned that in-the-wild exploitation had been observed, but did not share any information about the attacks. 

    The internet giant has now revealed that it saw the first campaign exploiting CVE-2023-37580 on June 29. This campaign was aimed at a government organization in Greece and the attacker leveraged a previously documented framework to steal emails and attachments. The framework can also be used to automatically forward emails to addresses controlled by the attacker.

    Roughly one week after Google spotted this campaign, on July 5, Zimbra published a hotfix for the vulnerability to its GitHub repository, but an official patch had yet to be released.

    Then, on July 11, Google observed a second campaign exploiting the Zimbra zero-day, this time targeting government organizations in Moldova and Tunisia. The company linked the attacks to Winter Vivern, a Russian APT known for using Zimbra exploits, including in attacks aimed at NATO countries. 

    Zimbra published a security advisory on July 13 to warn customers about the vulnerability. However, before the official patch was released on July 25, Google came across a third campaign, which targeted a government organization in Vietnam. In this case, the attacker leveraged the exploit to take users to a phishing page that instructed them to enter their webmail credentials.

    After the patch was released by Zimbra, Google spotted a fourth campaign, targeting a government organization in Pakistan.

    “The discovery of at least four campaigns exploiting CVE-2023-37580, three campaigns after the bug first became public, demonstrates the importance of organizations applying fixes to their mail servers as soon as possible,” Google said. 

    It added, “These campaigns also highlight how attackers monitor open-source repositories to opportunistically exploit vulnerabilities where the fix is in the repository, but not yet released to users. The actors behind Campaign #2 began exploiting the bug after the fix was pushed to Github, but before Zimbra publicly released the advisory with remediation advice.”

    Resource : https://www.securityweek.com/zimbra-zero-day-exploited-to-hack-government-emails/

    25Nov, 2023
    NASA’s Webb reveals new features in heart of Milky Way

    The latest image from NASA’s James Webb Space Telescope shows a portion of the dense center of our galaxy in unprecedented detail, including never-before-seen features astronomers have yet to explain. The star-forming region, named Sagittarius C (Sgr C), is about 300 light-years from the Milky Way’s central supermassive black hole, Sagittarius A*.

    The latest image from NASA’s James Webb Space Telescope shows a portion of the dense center of our galaxy in unprecedented detail, including never-before-seen features astronomers have yet to explain. The star-forming region, named Sagittarius C (Sgr C), is about 300 light-years from the Milky Way’s central supermassive black hole, Sagittarius A*.

    “There’s never been any infrared data on this region with the level of resolution and sensitivity we get with Webb, so we are seeing lots of features here for the first time,” said the observation team’s principal investigator Samuel Crowe, an undergraduate student at the University of Virginia in Charlottesville.

    “Webb reveals an incredible amount of detail, allowing us to study star formation in this sort of environment in a way that wasn’t possible previously.”

    “The galactic center is the most extreme environment in our Milky Way galaxy, where current theories of star formation can be put to their most rigorous test,” added professor Jonathan Tan, one of Crowe’s advisors at the University of Virginia.

    Protostars

    Amid the estimated 500,000 stars in the image is a cluster of protostars — stars that are still forming and gaining mass — producing outflows that glow like a bonfire in the midst of an infrared-dark cloud.

    At the heart of this young cluster is a previously known, massive protostar over 30 times the mass of our Sun.

    The cloud the protostars are emerging from is so dense that the light from stars behind it cannot reach Webb, making it appear less crowded when in fact it is one of the most densely packed areas of the image.

    Smaller infrared-dark clouds dot the image, looking like holes in the starfield.

    That’s where future stars are forming.

    Webb’s NIRCam (Near-Infrared Camera) instrument also captured large-scale emission from ionized hydrogen surrounding the lower side of the dark cloud, shown cyan-colored in the image.

    Typically, Crowe says, this is the result of energetic photons being emitted by young massive stars, but the vast extent of the region shown by Webb is something of a surprise that bears further investigation.

    Another feature of the region that Crowe plans to examine further is the needle-like structures in the ionized hydrogen, which appear oriented chaotically in many directions.

    “The galactic center is a crowded, tumultuous place. There are turbulent, magnetized gas clouds that are forming stars, which then impact the surrounding gas with their outflowing winds, jets, and radiation,” said Rubén Fedriani, a co-investigator of the project at the Instituto Astrofísica de Andalucía in Spain.

    “Webb has provided us with a ton of data on this extreme environment, and we are just starting to dig into it.”

    Around 25,000 light-years from Earth, the galactic center is close enough to study individual stars with the Webb telescope, allowing astronomers to gather unprecedented information on how stars form, and how this process may depend on the cosmic environment, especially compared to other regions of the galaxy.

    For example, are more massive stars formed in the center of the Milky Way, as opposed to the edges of its spiral arms?

    “The image from Webb is stunning, and the science we will get from it is even better,” Crowe said. “Massive stars are factories that produce heavy elements in their nuclear cores, so understanding them better is like learning the origin story of much of the universe.”

    Resource : https://www.sciencedaily.com/releases/2023/11/231121175511.htm

    24Nov, 2023
    Introducing Bambdas

    You’ve might have heard of Lambdas. But have you heard of Bambdas? They’re a unique new way to customize Burp Suite directly from the UI, using only small snippets of Java.

    Changing the face of Burp Suite

    The introduction of Bambdas exposes some of the core “behind the scenes” functionality of Burp Suite for the very first time. In essence, as the feature is rolled out across various tools within Burp Suite, you’ll be able to customize Burp to make it work in exactly the way that you want it to.

    The possibilities contained within the Bambdas functionality are theoretically endless. As the feature develops, we believe it’ll enable you to replace the age-old frustrated cry of “Why can’t Burp do this?” with a shiny new phrase. “I wonder if I can create a Bambda to make this work the way I need it to?”.

    How to work with Bambdas

    The first Bambda we’ve introduced enables you to write custom filters for the Proxy HTTP history. To help you get to grips with the unique potential of this functionality, we’ve created some examples to showcase some interesting request and response filters you might want to try.

    Find requests with a specific cookie value

    //Find requests with a specific cookie value
    if (requestResponse.request().hasParameter("foo", HttpParameterType.COOKIE)) {
    var cookieValue = requestResponse
    .request()
    .parameter("foo", HttpParameterType.COOKIE)
    .value();

    return cookieValue.contains("1337");
    }

    return false;

    Find JSON responses with wrong Content-Type

    //Find JSON respones with wrong Content-Type
    //The content is probably json but the content type is not application/json

    var contentType = requestResponse.response().headerValue("Content-Type");

    if (contentType != null && !contentType.contains("application/json")) {
    String body = requestResponse.response().bodyToString().trim();

    return body.startsWith( "{" ) || body.startsWith( "[" );
    }

    return false;

    Find role within JWT claims

    //Find role within JWT claims
    var body = requestResponse.response().bodyToString().trim();

    if (requestResponse.response().hasHeader("authorization")) {
    var authValue = requestResponse.response().headerValue("authorization");

    if (authValue.startsWith("Bearer ey")) {
    var tokens = authValue.split("\\.");

    if (tokens.length == 3) {
    var decodedClaims = utilities().base64Utils().decode(tokens[1], Base64DecodingOptions.URL).toString();

    return decodedClaims.toLowerCase().contains("role");
    }
    }
    }

    return false;

    Some helpful Bambdas code snippets

    Once you’re comfortable with the basics of how Bambdas work, there are a few tricks you might want to utilize to help you get even more value from the functionality. If you’re using something a lot, and want to save yourself some time, you can assign it to a variable. For example:var request = requestResponse.request();

    If you want to check if a parameter exists, and if it’s value is present, you can request it by name and check it for null instead:var cookie = request.parameter("foo", HttpParameterType.COOKIE);

    So that you can see how these code snippets can be applied, we’ve recreated the first example on finding requests with a specific cookie value.

    Hear from the developers of Bambdas

    Sean from the development team is here to introduce you to Bambdas, a unique new way to customize Burp Suite on the fly with small snippets of Java. You’ll learn what a Bambda is, why we’ve built them into Burp Suite, and see a couple of examples of how Bambdas work.

    Resource : https://portswigger.net/blog/introducing-bambdas

    24Nov, 2023
    5 Satellite IoT Connectivity Solutions For Remote Areas

    As part of IoT Week, CRN rounds up five satellite IoT connectivity solutions that can help organizations keep devices connected in remote areas where there is little to no cellular coverage.

    When IoT devices are deployed in areas where there is little to no coverage for cellular networks and other ground-based communications infrastructure, satellite connectivity is there to fill in the gaps.

    In recent years, IoT has become a greater priority for satellite vendors and service providers due to satellite IoT connectivity revenue growing far faster than traditional satellite connectivity revenue, according to Kathryn Weldon, research director at data and analytics firm GlobalData.

    While satellite IoT connectivity has been around for many years, it has recently become more viable as a result of vendors and service providers developing solid business models around low Earth orbit (LEO) satellite technologies after an initial wave of companies failed to do so, Weldon said.

    “There’s a new set of companies, many of which are still doing LEOs as their primary satellite technology but have somehow figured out more of the cost equations and instead of having a whole constellation of satellites, at the beginning, they have staged launches,” she told CRN.

    To address growing demand for satellite IoT connectivity, mobile network operators such as Telefónica, Deutsche Telekom and Skyle has developed new partnerships with satellite providers in recent years to give organizations with IoT fleets a continuum of coverage from cellular networks to satellites.

    “There’s more partnering, and there will continue to be more partnering for the operators and satellite providers,” said Weldon.

    As part of IoT Week, CRN has rounded up five satellite IoT connectivity solutions that can help organizations keep devices connected in remote areas where there is little to no cellular coverage.

    Soracom

    Soracom provides a satellite IOT messaging service that can connect any IoT device or sensor to Astrocast’s network of nanosatellites for areas where there is limited to no cellular coverage.

    The messaging service allows organizations to manage satellite IoT connections and billing alongside cellular, Wi-Fi and low-power wide-area connections through Soracom’s platform, which also enables users to remotely monitor and track their assets.

    Soracom’s service is hardware-agnostic, and it lets organizations ingest data from sensors on any cloud service without the need for a relay server, software development kit or on-device credentials.

    Sateliot

    Sateliot allows devices with narrowband IoT connectivity to communicate over the company’s constellation of satellites to enable “massive adoption of IoT in traditional out-of-coverage areas.”

    Narrowband IoT, also known as NB-IoT, is a subset of the LTE standard for cellular networks that enables a high density of connections for low-cost indoor devices with long battery life.

    By supporting the NB-IoT standard in its satellite technology, Sateliot said it’s able to “provide service at a similar cost and price to that of terrestrial cellular networks.”

    The Barcelona, Spain-based company’s satellite service is provided through mobile network operators like Telefonica as well as mobile virtual network operators.

    Myriota

    Myriota enables satellite connectivity for IoT devices through its Myriota Modules, which securely transfers data to the cloud through its nanosatellites without the need for ground-based infrastructure.

    The Australian company said its Myriota Modules contain patented technology that reduces energy use and increases longer battery life for IoT devices with the modules installed. These modules send “almost imperceptible” signals to Myriota’s satellites, which can support billions of devices.

    Data collected by Myriota’s satellites are sent down to a global network of satellite ground stations and processed in the cloud, which the company makes accessible though an API.

    Inmarasat

    Inmarasat provides a large portfolio of satellite IoT connectivity services with “unrivalled levels of reliability, choice and mobility” for enterprises.

    The company’s services include the BGAN M2M two-way IP data service for long-term management of machine-to-machine communication, the IsatData Pro service for tracking and monitoring assets and a leasing program that lets enterprises create a virtual network using its satellite constellations.

    These services are part of Inmarasat’s Elera IoT connectivity platform, which takes advantage of its Elera L-band satellite network. Target industries for these services include agriculture, transport and logistics, mining, oil and gas and electrical utilities.

    Vodafone

    Vodafone offers what it calls the “first global cellular and satellite IOT managed connectivity service,” which combines the company’s cellular network with Inmarasat’s BGAN satellite network.

    The service relies on the Vodafone Global SIM card, which sits within Inmarasat satellite terminals and connects devices to the satellite network when they enter roaming.

    Vodafone’s platform features enhanced device management functionality and supports more than 250 device types, with the ability to add new ones on demand.

    Resource : https://www.crn.com/news/internet-of-things/5-satellite-iot-connectivity-solutions-for-remote-areas/6

    23Nov, 2023
    Ather to launch affordable family scooter in 2024

    An Evolution 450 series is also set to be introduced early next year, with best-in-class features and a premium price tag

    One of the country’s leading electric manufacturers, Ather Energy, is set to launch a family scooter in 2024, the CEO and co-founder, Tarun Mehta, announced on his social media page.

    “After spending a decade perfecting the Ather 450, we now believe that there’s demand for something more. So many folks love,” he wrote on X, formally known as Twitter. The new scooter will be positioned in the affordable category.

    According to the co-founder, as a brand, they aim to develop bigger and more family-oriented scooters. “It’s designed with your entire family in mind, offering comfort, ample size, and a whole lot more—all wrapped up in one fantastic package. Even better? We’re ensuring it’s affordable, making the Ather family experience accessible to more people.”

    In addition, the EV maker is also set to introduce an Evolution 450 series early next year. However, unlike the family scooter, the new iteration will be offered at a premium price.

    “So, for those who loved the 450X, we’re shortly introducing an evolution of the 450 series. This new iteration is set to be the absolute pinnacle of refined performance. It will have best-in-class features that will redefine your riding experience. We’re launching in early 2024, and yes, it comes with a premium price tag,” Mehta posted on X.

    Resource : https://www.thehindubusinessline.com/companies/ather-to-launch-affordable-family-scooter-in-2024/article67562706.ece

    23Nov, 2023
    India emerges top-5 victim of cyber attacks in H1 CY23

    Cyber threat landscape in India is becoming more dangerous as the country emerged as a top-five geography in the world when it comes to the highest number of detections and malware detections; and online banking malware detections in the first half of 2023.

    “India is among the top five countries globally for malware detections, accounting for 5.5 per cent 90,945 ransomware detections in the first half,” a mid-year cybersecurity report prepared by Trend Micro said.

    Similarly, India is ranked number 4 globally in online banking malware detections, contributing to a concerning 8.2 per cent of all global threats. “In the first half of 2023, a substantial 5,609 online malware threats were identified,” the report said.

    “India has also emerged as a top-3 geography for the highest detections of risk events in the first half of 2023, after the US and Brazil.

    Affected sectors

    The government sector faced 18,862 malware attacks, while the banking sector faced 15,514 malware attacks.

    “Manufacturing, Government, and banking industries were the hardest hit in the country, with malware families like COIMINER, MIMIKATZ, and POWLOAD posing significant risks,” the report said.

    “India is at a crossroads in cybersecurity. As cybercriminals become more sophisticated, our digital defenses are constantly being challenged. The rise of ransomware and malware attacks has had a significant impact on key sectors of our economy,” Vijendra Katiyar, Country Manager for India & SAARC at Trend Micro, said.

    “To stay ahead of the curve, organisations need to be proactive in anticipating threats and bolstering their defenses with a unified cybersecurity platform,” he said.

    Globally, over 85 billion threats were blocked in the first half of 2023, including 37 billion email threats and 46 billion malicious files.

    “Globally, the top 3 industries that detected the highest number of ransomware attacks are banking, retail, and transportation,” the report said.

    Resource : https://www.thehindubusinessline.com/info-tech/india-emerges-top-5-victim-of-cyber-attacks-in-h1-cy23/article67412924.ece